Storing custom signed data in the key
Tomasz Buchert
tomasz at debian.org
Sat Aug 17 18:45:24 CEST 2019
Hey Gnupg users,
what would be the most "canonical" way to store arbitrary, signed data
along the gpg key? And then: what is the programmatic way of extracting
said data?
My specific use case is putting a signify [1] public key inside my GPG
key, so that I can leverage key distribution to push my signify key.
After some digging, I was able to add a "notation" to one of my UIDs,
using "edit-key" + "notation", and now I have a signed notation inside
a self-sig. See:
$ gpg --no-options --list-options show-notation --check-sigs KEYID | grep pub@signify
Signature notation: pub@signify=SIGNIFYKEY
This extraction process seems dangerous to me, however, since an
attacker could add a dummy signature on my key with the same
notation. I can improve the above by interpreting the input more
thoroughly, since the notation follows the signature info:
sig!3 N KEYID 2019-08-17 User Example <user@example.com>
Signature notation: pub@signify=SIGNIFYKEY
By checking the signature verification status ("sig!") and KEYID I can
ensure that the notation is valid.
Does it make sense? Is it a good idea? What would be a better way?
Cheers,
Tomasz
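The extraction check described in the post, written out as an added example (this is not code from the poster or from GnuPG): it walks the human-readable output of `gpg --check-sigs --list-options show-notation`, remembers the status and key ID of the most recent `sig` line, and accepts a notation value only when it sits under a signature that verified (`sig!`) and was made by the key's own ID. The sample output and key IDs are constructed placeholders, and the `--check-sigs` line layout is assumed from the form quoted in the post.

```python
import re

# Constructed sample of `gpg --check-sigs --list-options show-notation KEYID`
# output (placeholder key IDs, not real key data). It contains one verified
# self-signature carrying the notation, one unverifiable signature from an
# unknown key that carries the same notation name, and one bad self-signature.
OWN_KEYID = "0123456789ABCDEF"  # placeholder for the key whose self-sig we trust
SAMPLE_OUTPUT = """\
pub   rsa4096 2019-01-01 [SC]
      PLACEHOLDERFINGERPRINT
uid           [ultimate] User Example <user@example.com>
sig!3 N      0123456789ABCDEF 2019-08-17  User Example <user@example.com>
Signature notation: pub@signify=CONSTRUCTED-GOOD-VALUE
sig? N       FEDCBA9876543210 2019-08-17  [User ID not found]
Signature notation: pub@signify=CONSTRUCTED-FOREIGN-VALUE
sig-3 N      0123456789ABCDEF 2019-08-17  User Example <user@example.com>
Signature notation: pub@signify=CONSTRUCTED-BAD-SIG-VALUE
"""

# "sig" + status (! good, - bad, % error, ? unverifiable) + optional cert level,
# optional flag letters (N marks a notation), then the 16-hex-digit key ID.
SIG_RE = re.compile(
    r"^sig(?P<status>[!?%-])(?P<level>[123]?)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?(?P<keyid>[0-9A-Fa-f]{16})\s"
)
NOTATION_RE = re.compile(r"^Signature notation: (?P<name>[^=]+)=(?P<value>.*)$")


def extract_notation(output, own_keyid, name):
    """Return the values of notation `name` found only under verified
    (sig!) signatures made by own_keyid, in order of appearance."""
    values = []
    current = None  # (status, keyid) of the signature the next lines belong to
    for line in output.splitlines():
        if line.startswith(("pub ", "uid ", "sub ")):
            current = None  # a new packet; forget the previous signature
            continue
        m = SIG_RE.match(line)
        if m:
            current = (m.group("status"), m.group("keyid").upper())
            continue
        n = NOTATION_RE.match(line)
        if n and n.group("name") == name and current == ("!", own_keyid.upper()):
            values.append(n.group("value"))
    return values


def signify_key_from(output, own_keyid):
    """Fail closed: exactly one verified self-signed notation must exist."""
    found = extract_notation(output, own_keyid, "pub@signify")
    if len(found) != 1:
        raise ValueError("expected one verified pub@signify notation, got %d" % len(found))
    return found[0]
```

Matching on the 16-hex-digit long key ID mirrors the post; if the key has the same notation on several self-signatures (say, one per UID), the fail-closed check needs relaxing to "all values identical".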